Privacy Policy for SubAudit
Effective Date: 25 March 2026
1. Who We Are
SubAudit is a subscription monitoring platform that helps users track recurring payments, get renewal reminders, and gain spend insights. Our service is available at https://subaudit.app.
Data controller: SubAudit (registered company details to be confirmed — see support@subaudit.app for enquiries).
This policy is issued under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
For privacy inquiries, contact us at: support@subaudit.app
2. Information We Collect
We collect information necessary to provide our subscription monitoring service. The data we process falls into distinct categories depending on the features you use.
2.1 Account Information
- Registration data: Name, email address, country, and preferred currency provided during sign-up.
- Authentication data: If you sign in with Google or Apple, we receive your name and email from those providers. We store OAuth tokens to maintain your session.
- Password: For email/password login, passwords are stored as secure hashes using bcrypt (never in plain text).
2.2 Gmail Data (Email Scanning)
When you connect your Gmail account, we use the Gmail API to scan for subscription-related emails (receipts, confirmations, renewal notices). This is a separate processing activity from bank data. We:
- Request read-only access to your messages using OAuth 2.0
- Search for subscription-related keywords and patterns
- Extract only the relevant subscription details (service name, price, date)
- Do NOT store raw email content – we process emails transiently and store only extracted subscription metadata
- Store OAuth refresh tokens securely to maintain your connection (you can revoke access at any time)
2.3 Bank Data (Open Banking via Salt Edge)
When you connect a bank account, we use Salt Edge as our regulated bank connectivity provider. This is a separate processing activity from Gmail scanning. The connection provides:
- Read-only account information access – SubAudit cannot initiate payments, move funds, or modify your accounts
- Transaction data used solely to detect recurring payments, direct debits, and subscriptions
- The connection is established via a redirect-based flow: you authenticate directly with your bank through Salt Edge's interface. SubAudit never sees or stores your bank login credentials.
- You can disconnect your bank connection at any time from the Account page
2.4 Manually Added Subscription Data
- Service names, prices, billing cycles, renewal dates, and categories you enter
2.5 Usage and Technical Data
- Product interactions: Features used, scan triggers, settings changes – to improve reliability
- Error and audit logs: Diagnostic information when errors occur – for troubleshooting and security monitoring
- Session data: Temporary session identifiers for authentication
2.6 Mobile App Data (iOS/Android)
When you use our mobile apps:
- Push notification tokens: Device identifiers for sending renewal reminders. Deleted when you disable notifications or uninstall the app.
- Device identifiers: Anonymous IDs for analytics. Not used for advertising or cross-app tracking.
- Biometric data: Face ID, Touch ID, or fingerprint authentication is processed entirely on your device. We never receive, store, or transmit your biometric data.
- Camera/photos: Receipt photos are processed locally. Images are not uploaded unless you explicitly share them.
- Offline cache: Subscription data cached locally for offline access. Encrypted and deleted on logout or uninstall.
3. Lawful Basis for Processing
Under the UK GDPR, we rely on the following lawful bases:
- Consent (Article 6(1)(a)): For Gmail email scanning – you explicitly grant access via OAuth before any scanning occurs. You may withdraw consent at any time by disconnecting Gmail from the Account page or revoking access in your Google Account permissions.
- Consent (Article 6(1)(a)): For bank data access via Salt Edge – you explicitly authorise the connection through the redirect-based authentication flow. You may withdraw consent at any time by disconnecting your bank from the Account page.
- Performance of a contract (Article 6(1)(b)): For processing account data and manually entered subscriptions necessary to provide the service you signed up for.
- Legitimate interests (Article 6(1)(f)): For service improvement, security monitoring, and generating anonymised aggregate insights. Our legitimate interest is to improve the accuracy and reliability of subscription detection. This does not override your fundamental rights and freedoms.
4. How We Use Your Information
- Provide the service: Detect subscriptions, display your dashboard, send renewal reminders, show spend insights
- Improve accuracy: Enhance email parsing and subscription detection algorithms
- Community insights: Generate anonymised, aggregated statistics (e.g., average prices) without identifying individuals
- Communications: Send transactional emails (welcome, password reset)
- Security: Detect and prevent abuse, unauthorised access, and fraud
5. Gmail API and Google Data
SubAudit's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements:
- We request only the minimum scopes needed to find subscription receipts
- We do not sell or share your email content with third parties
- We do not use email data for advertising purposes
- Access to Google user data is limited to providing and improving subscription tracking features
6. Data Sharing and Third Parties
We share data only as necessary to operate the service:
- Salt Edge: Regulated bank connectivity provider for read-only account information access. Salt Edge is authorised under applicable financial regulations to provide account information services.
- Vercel: Our hosting provider for web application deployment
- Database provider: PostgreSQL database hosting for persistent data storage
- Email provider: SMTP/SendGrid for transactional emails (welcome, password reset)
- Google APIs: For Gmail OAuth authentication and email scanning (with your explicit consent)
- Apple Sign-In: For Apple authentication (if you choose this login method)
We do not sell your personal data to third parties. We do not share your data for advertising purposes.
7. International Data Transfers
Some of our service providers may process data outside the United Kingdom. Where transfers occur, we ensure appropriate safeguards are in place in accordance with UK GDPR, such as standard contractual clauses or adequacy decisions recognised by the UK government.
8. Security Measures
We implement security measures to protect your data:
- Encryption in transit: All data transmitted via HTTPS/TLS
- OAuth 2.0: Secure token-based authentication for Gmail access (read-only)
- Redirect-based bank authentication: You authenticate directly with your bank via Salt Edge; SubAudit never sees your bank credentials
- Password hashing: Secure one-way hashing using bcrypt
- No raw email storage: Full email content is never persisted
- No financial credentials stored: SubAudit does not store bank login details
- Access controls: Limited access to user data by authorised processes only
- Session management: Secure cookies with appropriate expiration
While we take reasonable precautions, no system is 100% secure. We encourage you to use strong passwords and protect your account credentials.
9. Data Retention
We retain data only as long as necessary for the purposes described in this policy:
- Account and subscription data: Retained while your account is active
- OAuth tokens (Gmail): Retained until you disconnect Gmail or revoke access
- Bank connection tokens: Retained until you disconnect your bank account
- Audit logs: Retained for 12 months for security and compliance purposes
- Scan metadata: Retained for 90 days
Account deletion:
- You can delete your account from the Account/Profile page in the app
- Deletion removes your subscriptions, alerts, linked email tokens, bank connections, and personal data
- Alternatively, email support@subaudit.app to request deletion
- Data is permanently removed within 30 days of a deletion request
10. Your Data Subject Rights
Under the UK GDPR, you have the following rights:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate or incomplete personal data
- Right to erasure: Request deletion of your personal data (subject to legal obligations)
- Right to restriction of processing: Request that we limit how we use your data in certain circumstances
- Right to data portability: Receive your data in a structured, commonly used, machine-readable format (e.g., CSV export)
- Right to object: Object to processing based on legitimate interests
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
How to Disconnect Services
- Disconnect Gmail: Go to your Account page and click "Unlink" next to your connected Gmail account. You can also revoke access from your Google Account permissions.
- Disconnect bank: Go to your Account page and click "Disconnect" next to your connected bank account. This immediately stops data retrieval via Salt Edge.
To exercise any of these rights, contact support@subaudit.app. We will respond within one month of receiving your request, as required by the UK GDPR.
11. Children's Privacy
SubAudit is not intended for children under 16 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us at support@subaudit.app and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the app or email. Your continued use of SubAudit after changes constitutes acceptance of the updated policy.
13. Complaints and Supervisory Authority
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:
- Website: https://ico.org.uk
- Helpline: 0303 123 1113
We would appreciate the opportunity to address your concerns before you approach the ICO. Please contact us first at support@subaudit.app.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your data:
- Email: support@subaudit.app
- Website: https://subaudit.app